This codebase contains intentional vulnerabilities for training purposes. DO NOT DEPLOY TO MAINNET OR USE WITH REAL FUNDS.
This project simulates a complex DeFi yield farming protocol with multiple reward tokens, referral systems, time-based bonuses, and fee structures. Your mission: identify and document all security vulnerabilities.
YieldFarm Protocol is a decentralized finance (DeFi) yield farming platform that allows users to earn rewards by staking their cryptocurrency tokens. Think of it as a "crypto savings account" where users deposit tokens and earn interest, but with much more complex mechanics.
- Deposit LP Tokens: Users deposit liquidity provider (LP) tokens from decentralized exchanges like Uniswap
- Earn Rewards: The protocol distributes reward tokens (YFT) to stakers based on their share of the pool
- Time Bonuses: The longer you stake, the higher your reward multiplier (up to 2x after 3 months)
- Referral System: Users can invite friends and earn 5% commission on their referral's rewards
- Multiple Rewards: Some pools offer bonus tokens on top of the primary YFT rewards
- Withdraw: Users can withdraw their staked tokens plus accumulated rewards at any time
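An auditor reviewing reward accounting usually starts by writing down what the protocol *claims* to do and then checks the contract against that model. Below is an added reference model of the mechanics listed above (pool-share rewards, the time multiplier, and the 5% referral commission); it is not code from this repository. Where the description leaves room (the shape of the ramp to 2x, "3 months" as 90 days, whether the multiplier scales a staker's weight or inflates the payout, where the commission comes from), the code states its assumption in a comment.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Optional

SECONDS_PER_DAY = 86_400
MAX_BONUS_DURATION = 90 * SECONDS_PER_DAY   # "3 months", modelled as 90 days (assumption)
MAX_MULTIPLIER = Fraction(2)                # "up to 2x"
REFERRAL_RATE = Fraction(5, 100)            # "5% commission"


def time_multiplier(staked_for: int) -> Fraction:
    """Reward multiplier for a position held `staked_for` seconds.
    Assumed shape: linear ramp from 1x to 2x, capped at MAX_BONUS_DURATION."""
    if staked_for < 0:
        raise ValueError("deposit timestamp lies in the future")
    held = min(staked_for, MAX_BONUS_DURATION)
    return 1 + (MAX_MULTIPLIER - 1) * Fraction(held, MAX_BONUS_DURATION)


@dataclass
class Staker:
    amount: int                      # LP tokens staked
    deposited_at: int                # unix timestamp of the deposit
    referrer: Optional[str] = None   # name of the referring staker, if any


def distribute(stakers: Dict[str, Staker], reward: int, now: int) -> Dict[str, int]:
    """Split `reward` YFT units across stakers for one accounting period.
    Assumed semantics: the time multiplier scales a staker's *weight* in the pool,
    so the sum of payouts never exceeds `reward`; the referral commission is carved
    out of the referee's payout; a self-referral earns nothing."""
    weights = {n: s.amount * time_multiplier(now - s.deposited_at) for n, s in stakers.items()}
    total_weight = sum(weights.values())
    payouts = {n: 0 for n in stakers}
    if total_weight == 0:
        return payouts
    for name, s in stakers.items():
        earned = Fraction(reward) * weights[name] / total_weight
        if s.referrer in stakers and s.referrer != name:
            commission = earned * REFERRAL_RATE
            payouts[s.referrer] += int(commission)   # floor, like integer token math
            earned -= commission
        payouts[name] += int(earned)
    return payouts


def conserves_rewards(payouts: Dict[str, int], reward: int) -> bool:
    """Invariant to hold the contract to: it must not pay out more than it was funded."""
    return sum(payouts.values()) <= reward
```

Feed the same deposits and timestamps to the model and to the contract under Foundry, and any divergence (or a violated `conserves_rewards`) is a finding to write up in the report format below.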
- Conduct a comprehensive security audit
- Document all vulnerabilities found
- Classify severity (High/Medium/Low)
- Provide exploit scenarios where applicable
- Suggest remediation strategies
```shell
# Install dependencies
forge install
forge build
```

```text
src/
├── MultiTokenYieldFarm.sol # Main farming contract
└── YieldFarmToken.sol # Reward token
```
- YieldFarmToken: Reward token contract
- MultiTokenYieldFarm: Main farming protocol
- Mock LP Tokens: For testing different pools
For each vulnerability, document:
## Vulnerability: [Title]
**Severity**: High/Medium/Low
**Location**: Contract.sol, Line X
**Category**: Reentrancy/Arithmetic/Access Control/etc.
### Description
[What is the vulnerability? Include a code snippet.]
### Impact
[What damage can it cause?]
### Proof of Concept
[Code or steps to exploit]
### Recommendation
[How to fix it]

NOTE❗: Coded PoC is required for High and Medium issues
- Comprehensive audit report with all findings
- Exploit contracts (where applicable)
- Test suite covering discovered edge cases
- Risk assessment and recommendations
Remember: The goal is learning, not just finding bugs. Understand the why behind each vulnerability and how it could manifest in real protocols.
Good luck, and happy hunting!